Blog

Android 8.0 (a.k.a. Android Oreo) was released on eclipse day last week by Google. It brings several enhancements to improve user experience and bolster platform security.

Some of the changes that affected the security benchmark were:

Redesigned Settings Menu – This required us to update the audit and remediation steps for all the 39 recommendations in the benchmark. The settings area and various menus have been reorganized to make things as simple and straightforward as possible.

Instant apps - Instant apps allow you to use apps without installing them on your device. On clicking app links, the browser downloads and run app modules as desired by the user. The new recommendation – “1.28 Ensure 'Instant apps' is set to Disabled” reads that “Having exposure to an app like this is dangerous since any malicious link could then potentially trick the user and then browser could download the app code and run on your device without requiring installation. Also, this feature defies enterprise security that relies on blacklisting or whitelisting apps based on installation. Hence, it is recommended to turn off instant apps.”

Cavirin is pleased to announce the inclusion of the latest framework from NIST – the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 draft. The latest revision is a major update to the original 2014 document, and includes a common security vocabulary to help with cyber supply chain management. For example, a small business selecting a cloud service provider or a federal agency contracting with a system integrator.

The ease of implementation and the ability to span multiple workload environments (i.e., IaaS, PaaS, on-premise, VMs, containers, and in the future, FaaS), delivering a single view, is integral for mid-size and enterprise organizations. Ideally, if initially deployed on-premise, the same tools and applications will extend into the cloud. This implies that the platform architecture has been conceived from the start for hybrid environments. Flexibility also includes ease of installation from a cloud service provider’s marketplace.

2: Extensibility

DevOps-friendly open APIs open the platform to external data sources and sinks such as IAM/PAM, SIEM/UEBA, logging, threat intelligence, or a helpdesk. This out-of-the box cloud and API interoperability is essential to accommodate business-critical applications. APIs also enable integration into an organization’s CI/CD process and their DevOps tools. This of course relates to lifecycle container support that encompasses images, the container runtimes, and orchestration.

3: Responsiveness

As today’s security threats quickly multiply, minimizing the time required for implementation and time to baseline, as well as quickly identifying any changes in posture, has become vital. This implies a microservices-based architecture for elastic scaling, and an agentless architecture that adapts well to containers and function-based workloads as well as eliminating ‘agent’ bloat that impacts CPU, memory, and I/O.

4: Agility

Permitting the organization to initially sample what part of the network (fraction of workloads) is critical to them within a given time period, and then scale from there. The cloud provides this agility, and the security tool architecture must be designed to follow suit.

5: Deep Discovery

It’s essential to automatically identify existing and new workloads as well as changes to existing ones across multiple cloud service providers, and then the ability to properly group these by function. This discovery should be a simple process, leveraging existing AuthN and AuthZ policies to avoid having to create a special IAM policy every time.

6: Broad Policy Library

The platform must support a wide range of benchmarks / frameworks / guidelines and the creation of custom polices based on workload type. These policies should automatically apply to existing and new workloads. Broad coverage also relates to OSs, virtualization, and cloud service providers. Capabilities may include OS hardening, vulnerability and patch management, configuration management, whitelisting, and system monitoring.

7: Real Time Risk Scoring Across Infrastructure

Assets, once discovered and with policies applied, must be scored. This may be individually, across different slices of the infrastructure (i.e., location, subnet, department), by workload type across environments (i.e., cloud and on-premise), or by application (i.e., PCI, web). Scoring must be prioritized, available historically, integrated with 3rd party tools for automation or into an existing UI, and most importantly, correlated. For example, an organization operates a web server farm with 10 on-premise Red Hat Enterprise Linux servers and begins to transition to the cloud. Mid-way through the migration, five web servers are on Azure, and five on-premise. If tracking PCI compliance, the tool must generate a normalized view across both environments.

8: Container (Docker) Support

Docker technology has attracted the attention of many enterprise adopters -- if you are implementing containers either on-premise or as part of a cloud deployment, you need to ensure that their workloads are secure. And, if you bring in images from a registry, you need to ensure that these are not corrupted. Many of the same capabilities described in (6) apply here as well, such as hardening, scanning, and whitelisting. One way to look at container support is across a lifecycle that includes image scanning, run-time hardening, and security at the orchestration layer.

9: Cloud-agile Pricing

Reflecting the cloud compute and storage pricing model, it’s important to adopt a pricing model that has the exibility to meet changing requirements. This may involve a SaaS offering, or connecting the back-end of the platform to the cloud service provider’s billing engine, with an ability to charge to the minute. Alternatively, pricing may be abstracted but still agile, closer to the concept of committed and burst workloads, and analogous to a cellphone provider’s rollover-minutes model. In either case, this is a departure from existing static pricing.

10: Intelligence

Predictive analytics permits the platform to ‘predict’ the outcome of change, a ‘what-if’ analysis for con gurations and OSs, is crucial in today’s quickly changing environment. It is capable of bringing in data from 3rd parties via APIs to create a more correlated view of this change. Some customers describe this as a ‘virtual whiteboard.’

Through 2020, 90% of cloud breaches will be due to customer misconfiguration, mismanaged credentials, or insider theft, and not cloud provider vulnerabilities

89% of breached organizations had a firewall in place at the time of compromise

70% of all healthcare data breaches were due to device theft or loss

In one case, a US health insurer experienced a data breach of millions of patient (PHI) records, with a direct cost of only 4% but a total exposure of $1.68B

Is there a way out?

We’re pleased to announce the availability of our eBook, ‘A Modern Approach to Securing Hybrid Workloads.’ It looks at how to build an architecture that is both continuous and agile for cloud infrastructure security, reducing the potential threat of a breach by providing a single, hybrid view, across private and public clouds. We look at the following challenges facing CISOs, their IT staff, and DevSecOps, and outline solutions.

What are the challenges facing today’s CISO with regard to information overload and accountability?

Why continuous security is so critical in the cloud and for containers

The shared responsibility model and where enterprises trip up

Fundamentals of a cloud-native security architecture including micro-services and APIs

I’m happy to announce the availability of the latest benchmark addressing the container ecosystem – the Kubernetes 1.7 Security Benchmark. Kubernetes 1.7 brings tons of security improvements. We, at CIS Kubernetes community, have been busy to give you an updated benchmark quickly. Download your copy from the CIS website. For an additional perspective on the release and enterprise-scale capabilities, please check out the google blog.

This version of the benchmark has undergone changes to reflect the above improvements. Below is a quick summary.

About Cavirin

Cavirin is the only organization that delivers cyberposture intelligence for the hybrid cloud by providing real-time risk & cybersecurity posture management, continuous compliance, further integrating security into DevOps.